Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rewrite this query to get percentage at each range?

sangs8788
Communicator
‎08-09-2018 03:47 AM 
index=sample | eval Latency=case(walltime<500, "0-0.5s",          walltime>=500 AND walltime<1000, "0.5s-1s",           walltime>=1000 AND walltime<3000, "1s-3s",           walltime>=3000 AND walltime<6000, "3s-6s",           walltime>=4000 AND walltime<10000, "6s-10s",           walltime>=10000 AND walltime<30000, "10s-30s",           walltime>=30000, ">=30s")  |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency

The above query gives me in below format

Date | 0-0.5s | 0.5s-1s | 1s-3s | 3s-6s | 6s-10s | 10s-30s
08/08/2018 | 12350 | 20095 | 5530 | 563 | 170 |120
09/08/2018 | 15350 | 10455 | 3430 | 1263 | 1010 |10

I would like to represent this count in terms of Percentage. How do I do the calculation? Please let me know.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-09-2018 04:46 AM

@sangs8788,

If you are looking for a daily percentage, then try

index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s") 
|eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
|addtotals fieldname=total
|foreach * [eval <<FIELD>>=round((<<FIELD>>/total)*100,2)]|fields - total

OR

    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s") 
    |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
    | untable Date,Latency,RequestCount
    | eventstats sum(RequestCount) as total by Date|eval Percentage=round((RequestCount/total)*100,2)
    | xyseries Date,Latency,Percentage
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-09-2018 04:46 AM

@sangs8788,

If you are looking for a daily percentage, then try

index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s") 
|eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
|addtotals fieldname=total
|foreach * [eval <<FIELD>>=round((<<FIELD>>/total)*100,2)]|fields - total

OR

    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s") 
    |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
    | untable Date,Latency,RequestCount
    | eventstats sum(RequestCount) as total by Date|eval Percentage=round((RequestCount/total)*100,2)
    | xyseries Date,Latency,Percentage
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-10-2018 12:34 AM

can i have the total count also displayed for each date?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-10-2018 01:14 AM

Yes, if you are using the first search, then remove fields - total from the search
For the second one , if you dont want a chart visualization , remove | xyseries Date,Latency,Percentage

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

poete
Builder
‎08-09-2018 04:44 AM

Hello @sangs8788 ,

please have a look at addtotals (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Addtotals) , and in particular at the last sections of the page.
Once you have the total, you should be able to compute the percentage.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...